
How to edit my dashboard searches as I change the time range from Last Hour to Last 30 Days and maintain or improve performance?

ashabc
Contributor

I have a dashboard that displays a number of charts taking into account the last one hour of data and automatically refreshes every 5 minutes. It works fine.

Now my management wants a similar chart for the last month's data instead of the last hour. Obviously, if I try to run my search as is over the last 30 days of data, it runs like a snail, which is expected.

Can anyone suggest a clue as to how to make it faster? Is a summary index a good option, or are there other ways to run searches faster? I have listed the search commands that I used in my dashboard below:

index=webproxy eventtype=ironport_proxy | eval download=sc_bytes/1024/1024 | stats sum(download) by host

index=webproxy eventtype=ironport_proxy |  stats count by "Display Name" | sort limit=10 count desc

index=webproxy eventtype=ironport_proxy | eval MegaByte=sc_bytes/1048576 | stats max(MegaByte) by "Display Name" | sort limit=10 max(MegaByte) desc

index=webproxy eventtype=ironport_proxy | eval MegaByte=sc_bytes/1048576 | stats max(MegaByte) by c_ip | sort limit=10 max(MegaByte) desc

index=webproxy eventtype=ironport_proxy  | rex field=cs_url "\/\/(?P<s_hostname>[^/]*)" | eval MegaByte=sc_bytes/1048576 | stats max(MegaByte) by s_hostname | sort limit=10 max(MegaByte) desc

index=webproxy eventtype=ironport_proxy | stats count by c_ip | sort limit=10 -count

index=webproxy eventtype=ironport_proxy s_hostname!="-" sc_bytes=* | bucket _time span=1w | eval download=sc_bytes/1024/1024 | eval minute=strftime(_time,"%H:%M") | chart sum(download) over minute by host

mzorzi
Splunk Employee

It looks like your searches are well formatted already.

Since you are running the stats command, you should build a summary index with the sistats command.

Another alternative is to create accelerated data models: http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Aboutdatamodels . This will provide your management with a fast and easy way to build reports.
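An added configuration example, not part of the answer above and not Splunk's own code, showing both halves of the summary-indexing approach for the first two searches in the question: scheduled sistats searches that write partial results into a summary index, and the dashboard searches that read them back over 30 days. The index name summary_webproxy, the stanza names and the hourly schedule are assumptions.

```ini
# Added example: savedsearches.conf stanzas (index name, stanza names and
# schedule are assumptions, not values from the thread).

# 1) Populating searches: run every hour over the previous clock hour and
#    write the sistats partial results into the summary index.
[webproxy_download_by_host_hourly]
search = index=webproxy eventtype=ironport_proxy | eval download=sc_bytes/1024/1024 | sistats sum(download) by host
enableSched = 1
cron_schedule = 5 * * * *
# Fixed, non-overlapping window; @h snaps to the hour boundary so the
# same event is never summarised twice.
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
# Continuous scheduling: a missed run is executed later instead of being
# skipped, so the summary has no holes.
realtime_schedule = 0
action.summary_index = 1
action.summary_index._name = summary_webproxy

[webproxy_count_by_display_name_hourly]
search = index=webproxy eventtype=ironport_proxy | sistats count by "Display Name"
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
realtime_schedule = 0
action.summary_index = 1
action.summary_index._name = summary_webproxy

# 2) Dashboard searches over the summary. Summary events carry the name of
#    the populating saved search in the source field, so each panel filters
#    on it and finishes the calculation with the matching stats function.
#    sort limit=10 belongs here, not in the populating search, otherwise
#    the summary would only hold the hourly top 10.
[dashboard_download_by_host_30d]
search = index=summary_webproxy source="webproxy_download_by_host_hourly" | stats sum(download) by host
dispatch.earliest_time = -30d@d
dispatch.latest_time = now

[dashboard_top10_display_name_30d]
search = index=summary_webproxy source="webproxy_count_by_display_name_hourly" | stats count by "Display Name" | sort limit=10 -count
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
```

The summary only contains data from the first scheduled run onwards; Splunk's fill_summary_index.py script can backfill earlier time ranges.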
